A PCI DSS policy on access control should include which of the following?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Prepare for the PCI DSS Test with detailed questions and explanations. Use flashcards and quizzes to enhance knowledge. Ensure you're ready for your certification exam!

Multiple Choice

A PCI DSS policy on access control should include which of the following?

Explanation:
In PCI DSS, the access control policy needs to translate who can access cardholder data into clear, enforceable rules by role. Defining access needs and privilege assignments for each role establishes the minimum privileges required for that role and ties those rights to documented responsibilities. This supports least-privilege access, need-to-know, and accountability, and it provides a solid basis for provisioning, reviewing, and revoking access as people change roles or leave the organization. The other options undermine security: granting all privileges to all admin users eliminates least-privilege controls; allowing access to privileged IDs for all staff breaks separation of duties and increases risk; and claiming no documentation is required directly contradicts PCI DSS requirements that policies governing access control be documented and maintained.

In PCI DSS, the access control policy needs to translate who can access cardholder data into clear, enforceable rules by role. Defining access needs and privilege assignments for each role establishes the minimum privileges required for that role and ties those rights to documented responsibilities. This supports least-privilege access, need-to-know, and accountability, and it provides a solid basis for provisioning, reviewing, and revoking access as people change roles or leave the organization.

The other options undermine security: granting all privileges to all admin users eliminates least-privilege controls; allowing access to privileged IDs for all staff breaks separation of duties and increases risk; and claiming no documentation is required directly contradicts PCI DSS requirements that policies governing access control be documented and maintained.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy